Cryptojacking: Digging for your own Treasure

Do you ever feel the Internet is especially slow these days? Or do you have ever wonder if maybe it’s just your computer that’s getting slower? Don’t rush to the IT shop to buy a new computer yet … you may have been a victim of a new trick used by malevolent hackers called browser “cryptojacking.”
What is cryptojacking? It’s a new trick used to mine cryptocurrencies on your computer using your CPU resources in the background without your knowledge. All that a cybercriminal has to do is load a script into your web browser that contains his unique site key to force you to enrich him.

Cryptominer tools don’t harm your computer, and nothing is stored on your hard drive, so they can’t be considered to be malware in that sense. However, they can be referred to as greyware, meaning they are identified as annoying software, especially when they are set up to consume all of your CPU power.

This all started last September when Coinhive (https://coinhive.com/) released a new technology to mine Monero cryptocurrency within the web browser. The script is written in JavaScript (JS), so it is easy to embed into any web page. Please note that this technology was demonstrated in 2013 by a group of former MIT students who created a company named TidBit to distribute a BitCoin miner within a web browser.

This has led some researchers to ask, “why they are using Monero?”

According to a Coinhive FAQ, they chose Monero (XMR) because the algorithm used to compute the hashes is heavy but better suitable to CPU limits, especially when compared to other crypto currencies where using GPUs (graphical processing units) would make a big huge difference. They mentioned that the benefit of using a GPU for Monero is about 2x, where it’s 10,000x for BitCoin/Ethereum!

The drawback of using JavaScript in a web browser, even with latest web technology like WebAssembly, however, is that the performance is 35% slower than a native miner.

As always, easy gains make technologies easy to be abused, like in recent cases involving AirAsia’s bigprepaid.com or the Politifact websites. The results are even worse with Monero usage as compared to Bitcoin, where at least wallets can be tracked and monitored. What this means is that Monero is also giving them an extra layer of anonymity.

In fact, prior to that the technology was tested in some popular download websites, such as ThePirateBay in mid-September. One TPB crew said they were testing this mining option as an alternative to ad banners. However, the implementation is inconsistent as the website staff sometimes hides the cryptomining technology and other times it runs in the open.

But the bigger question, some wonder, is if any of this is even legal.

In the US, there was a precedent with the TidBit case, stating that the use of a someone’s CPU power without consent is considered to be gaining illegal access to that person’s computer: meaning those found guilty of doing so can incur the same charges and penalties as any other computer hacker.

But how much could TPB get from using it? To answer that, people on Twitter started to do an estimation of the revenue that they could have generated. One such person, known as @torrentfreak, came up with the estimate below.

Figure 1: TPB estimated revenue when using crypto miner

The estimated revenue generated by TPB using this technology is roughly $12,000/month, but again it depends on a number of factors. The most important ones of course are the audience, and how long people stay put on a web site. The more the people give away time while surfing on the site, the more CPU cycles that can be borrowed. Which is why this technology is particularly effective on illegal video streaming web sites (see Figure 2) where people stay for hours watching movies or TV series.

Figure 2: Coinhive secretly inserted in some video streaming web site

How can you detect if you have been unwittingly donating your computing CPU power?

The easiest way is to check your CPU usage. If you feel your computer is slow, and you can hear the fans running full speed without any reason, that’s a good reason to run the remediation software below.
But of course, it’s also possible that this computer behavior is for a completely different reason.
At the same time, you could also be a victim of an online crypto miner even if your CPU usage is not at 100%. That would be the case if the website owner, for example, has set a throttle in order to not use all your available cycles, allowing them to remain under the radar longer.

Regardless, it’s always a good thing to know how to do the check. Your operating system provides some out-of-the-box tools. These are called “Task Manager” on Microsoft Windows ([Ctrl]+[Shift]+[Esc]), “Activity Monitor” on Mac, and “top” on the Linux command line.

Figure 3: Task Manager on MS Windows 10, showing CPU is 100% busy

Using these tools, you can also list all the processes running on your computer, allowing you to find the culprit by filtering real time CPU consumption, and then allowing you to then kill it.

Once you regain control of your computer, you will need to take action to block further compromise by such technologies.

Most of the time, a link to a crypto miner is embedded within a page, which means that the link to that malicious page can be blocked by using a WebFiltering tool. If the malicious JS was simply copied/pasted to a hosted site, then an AntiVirus tool will be able to detect the code and block it.

On top of that, many browser extensions have been updated to prevent inappropriate browser behavior (such as AdBlock) and some were developed to specifically identify and block cryptojacking, such as NoCoin or MinerBlock.

Figure 4: No Coin extension logo

Since Coinhive was released, many new alternatives have appeared, like JSEcoin, MineMyTraffic, CryptoLootMiner, CoinHave, and CoinNebula. They all have the same purpose and all work about the same. They are embedded in web pages using JS or an HTML IFRAME. As a result, the security industry is now facing another cat-and-mouse game where every week we are witnesses of new miner scripts or new obfuscated versions of existing ones.

Solution

The FortiGuard team is actively monitoring for any new threats that could affect our customers.

FortiGuard Web Filtering categorizes unwanted cryptominer hosted scripts as malicious websites.

FortiGuard Antivirus detects cryptominer scripts as riskware.

-= FortiGuard Lion Team =-

IOC

67c0907af5d865753dfe9d74309005a3f215e5130cfd6d756702fd9a95775354  Riskware/CoinHive

hxxp:[//]kisshentai.net[/]Content[/]js[/]c-hive.js rated as Malicious Websites
hxxps:[//]coin-hive.com[/]lib[/]coinhive.min.js rated as Malicious Websites

Sign up for our weekly FortiGuard intel briefs or to be a part of our open beta of Fortinet’s FortiGuard Threat Intelligence Service.